On Nov 9, 2017, at 3:43 PM, Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
On (08/11/17 20:53), Charles Hedrick wrote:
> We want to move our net groups from NIS to IPA. I’ve loaded the groups. They’re
> visible on a system that uses nslcd pointed at the IPA server. But the systems that use
> SSSD for authentication don’t show anything. The net groups all show as undefined.
>
> I’ve turned on debugging and looked at the LDAP logs. It does the right quotes and
> the log says it extracts the members. But they don’t show up.
>
> Any idea where to look?
>
How did you add netgroups to IPA?
Did you migrate from LDAP to IPA ("ipa migrate-ds")?
We went from a flat file to IPA. I wrote a script that did ipa netgroup-add and
ipa-netgroup-add-member.
Here’s a piece of it:

    ipa netgroup-add-member dcsug_servers_remus1 --hosts=cumulus.rutgers.edu
    ipa netgroup-add-member dcsug_servers_remus1 --hosts=stratus.rutgers.edu
    ipa netgroup-add dcsinternet_clients
    ipa netgroup-add-member dcsinternet_clients --netgroups=dcsinternet_sunclients
    ipa netgroup-add dcsfac_linuxclients
    ipa netgroup-add-member dcsfac_linuxclients --hosts=abhib.rutgers.edu
    ipa netgroup-add-member dcsfac_linuxclients --hosts=atanasoff.rutgers.edu
    ipa netgroup-add-member dcsfac_linuxclients --hosts=borges.rutgers.edu

Pretty obvious.
However I discovered that all the net groups were created with a bogus nisdomain. Because
netapp documentation says to leave it blank, I cleared all the nis domains with
    ipa netgroup-mod NAME --nisdomain=
That turned out to be the issue. sssd won’t show a triple unless it has a non-blank domain
entry in the domain field. This looks like a bug.
For the moment the plan is to use nslcd, i.e. ldap, for netgroups on the servers that need
net groups (just NFS servers in our case).
I don’t believe we can tell sssd to use IPA for users and groups but ldap for netgroups. I
want the features of IPA for users.
Did you add them from command line with "ipa"?
If yes, then could you provide exact commands?
LS
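
An added example, not part of the original thread or of SSSD/IPA: a check that finds the netgroup triples with a blank domain field, the condition the reply above reports as hiding them from SSSD. It assumes the netgroups have been exported as LDIF in RFC 2307 form (nisNetgroupTriple values); the sample LDIF, its base DN and the example.com domain value are constructed, and folded or base64 LDIF lines are not handled.

```python
import re

# Constructed sample LDIF (assumption, not data from the thread).
SAMPLE_LDIF = """\
dn: cn=dcsfac_linuxclients,cn=ng,cn=compat,dc=example,dc=com
cn: dcsfac_linuxclients
nisNetgroupTriple: (abhib.rutgers.edu,-,)
nisNetgroupTriple: (borges.rutgers.edu,-,)

dn: cn=dcsug_servers_remus1,cn=ng,cn=compat,dc=example,dc=com
cn: dcsug_servers_remus1
nisNetgroupTriple: (cumulus.rutgers.edu,-,example.com)

dn: cn=dcsinternet_clients,cn=ng,cn=compat,dc=example,dc=com
cn: dcsinternet_clients
memberNisNetgroup: dcsinternet_sunclients
"""

# A triple is "(host,user,domain)"; any of the three fields may be empty.
TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")

def parse_netgroups(ldif):
    """Return {netgroup: [(host, user, domain), ...]} from LDIF text."""
    groups = {}
    for entry in ldif.strip().split("\n\n"):
        name, triples = None, []
        for line in entry.splitlines():
            attr, _, value = line.partition(":")
            value = value.strip()
            if attr.lower() == "cn":
                name = value
            elif attr.lower() == "nisnetgrouptriple":
                m = TRIPLE_RE.match(value)
                if m is None:
                    raise ValueError(f"malformed triple: {value!r}")
                triples.append(tuple(f.strip() for f in m.groups()))
        if name is not None:
            groups[name] = triples
    return groups

def blank_domain_triples(groups):
    """Map each netgroup to its triples whose domain field is empty."""
    found = {g: [t for t in ts if t[2] == ""] for g, ts in groups.items()}
    return {g: bad for g, bad in found.items() if bad}

if __name__ == "__main__":
    for name, bad in blank_domain_triples(parse_netgroups(SAMPLE_LDIF)).items():
        for host, user, _ in bad:
            print(f"{name}: ({host},{user},) has a blank domain field")
```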